New password guidelines released by the ISO

by Elizabeth Parsons, IT Services

Having a strong password is the first line of defense against malicious actors attempting to access your private information. There are a few tried-and-true methods for creating a strong password, and soon, the Miami community will need to think a little more closely about the passwords they put on their MUnet accounts.

Lines of colorful code on a dark background

To this end, the Information Security Office has updated the password creation guidelines and standards for passwords associated with Miami University accounts. These new guidelines will help us keep Miami accounts safe in our ever-changing technological world of new hacking techniques and greater information security threats.

Let’s take a look at those new guidelines and see what, in fact, constitutes a strong password:

What is a strong password?

There are a few things to remember when creating strong passwords for your online accounts. The usual instructions apply:

  1. Don’t use the same password for more than one account
  2. Use a combination of letters, numbers, and special characters, or consider creating a passphrase that is easy to remember but hard to guess
  3. Never use personal information (such as your birthday or Banner+ number) in a password
  4. Create a longer password (more than 16 characters minimum)

Making sure to put some randomness into your password is key here. Don’t just put your name or your pet’s name, or even the street you grew up on. These are all values that a knowledgeable hacker would have an easier time guessing.

What is a passphrase?

One thing you can do to ensure a strong password is to create a “passphrase.” Passphrases are longer, generally easier to remember, and they are more secure than just a regular password.

“Using a long passphrase instead of a short password to create a digital signature is one of many ways that users can strengthen the security of their data, devices and accounts,” wrote TechTarget contributors Andrew Froehlich and Laura Fitzgibbons. “The longer a passphrase is, the more likely a user is to incorporate bits of entropy, or factors that make it less predictable to a potential attacker.”

A carefully constructed passphrase can incorporate enough entropy to make it nearly impossible to guess. For instance, the passphrase “correct horse battery staple,” as showcased in this classic XKCD comic, would take 550 years at 1,000 guesses per second to crack.

Put it in practice: New MUnet guidelines

The new MUnet password standards are intended to be applied to passwords used to access University owned or licensed devices, systems, services, or data. The requirements include responsibilities for end-users, procedural controls, and configurations for application and service implementations.

Here is a link to the new guidelines: Standard: Passwords.

The new requirements are an expansion of the current password standards to any kind of password you can have at Miami (not just your MUnet password). The document is also more in-depth than previous versions of these standards.

A general overview of the guidelines includes passwords that:

  • Must be 16 characters in length and composed of at least upper and lower case letters (numbers and special characters may also be used)
  • Must not be a password the user has used previously for the account knowingly used elsewhere
  • Must be changed at least every 5 years
  • Must be changed within 24 hours after being informed of a compromise, breach, or exposure of the password or of its hash
  • Must not be known by anyone other than the account holder
  • Must be stored in a secure manner. Insecure password storage includes storing on paper without physical protections, storing in unencrypted files, and storing in web browsers or applications. Password managers either cloud-based or host-based are considered secured

In addition to the password requirements, the document provides guidance for situations involving confidential and restricted data, administrator passwords, and mobile devices.

It’s important to note that the new standards are not yet mandatory; and in fact, some of the guidelines here aren’t able to be accomplished with our current systems (yet!). More information will be provided when the standards become mandatory for the greater Miami community.

For now, these guidelines are just that: a way to create stronger passwords for your Miami accounts. In the future, however, we will begin to enforce the password creation guidelines – so we can keep Miami accounts secure and protect your information and data.